From 1f2a44214c88f7ab32e09a7fed6e0406020ad3ed Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Mon, 3 Apr 2017 14:15:08 -0700
Subject: [PATCH] tag_release: always sign release tags

---
 tag_release | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/tag_release b/tag_release
index d8b37c526c..1d7e380caa 100755
--- a/tag_release
+++ b/tag_release
@@ -34,6 +34,7 @@ DEFINE_string sdk_version "${COREOS_VERSION_ID}" \
 DEFINE_boolean branch ${DEFAULT_BRANCH} "Release branch, diverge from master"
 DEFINE_boolean push ${FLAGS_FALSE} "Push to public manifest repository."
 DEFINE_string remote "origin" "Remote name or URL to push to."
+DEFINE_string signer '' "Alternate GPG key ID used to sign the tag."
 
 # Parse flags
 FLAGS "$@" || exit 1
@@ -65,6 +66,11 @@ if [[ "${FLAGS_sdk_version}" == "${BRANCH_VERSION}" ]]; then
         "Try --sdk_version keep to use the existing SDK."
 fi
 
+sign_args=( -s )
+if [ -n "${FLAGS_signer}" ]; then
+    sign_args=( -u "${FLAGS_signer}" )
+fi
+
 cd "${REPO_MANIFESTS_DIR}"
 
 # Clean up existing branch manifest(s) excluding:
@@ -108,10 +114,14 @@ COREOS_SDK_VERSION=${FLAGS_sdk_version}
 EOF
 git add version.txt
 
+# Help various pinentry programs find the tty.
+GPG_TTY=$(tty)
+export GPG_TTY
+
 info "Creating ${BRANCH_NAME} and tag ${TAG_NAME}"
 git commit -m "${BRANCH_NAME}: release ${TAG_NAME}"
 git branch -f "${BRANCH_NAME}"
-git tag -m "CoreOS ${TAG_NAME}" "${TAG_NAME}"
+git tag "${sign_args[@]}" -m "CoreOS ${TAG_NAME}" "${TAG_NAME}"
 
 if [[ ${FLAGS_push} -eq ${FLAGS_TRUE} ]]; then
     master="HEAD:refs/heads/master"